Why 5G Requires New Approaches to Cybersecurity

A brief history of Wireless Networks

The first professional wireless network was developed at the University of Hawaii in 1969. The first commercial wireless network, WaveLAN product, was developed in 1986 by NCR. The second generation of wireless networks known as GSM was deployed in 1992. New standards were adopted every nine years, and in 2001, various 3G standards started popping up with equally competing deployments. After another cycle of nine years, 4GLITE wireless technology was deployed and soon became the dominant technology by wireless service providers. The fifth-generation technology for cellular networks, 5G, was deployed in 2019 and is currently expected to dominate the wireless technology market globally by 2025.

A New Era of 5G Wireless

News about fifth-generation technology (5G) is a fire in the digital world. 5G networks promise download speeds of 10 to 20 times faster than legacy networks. It aims at enveloping the world, and that’s what makes it an international concern as far as ensuring its integrity, availability, and confidentiality. It promises to deliver amazingly faster networks that it will accommodate more devices than the existing telecommunication infrastructure. A forecast into potential use cases predicts that the 5G network is likely to aid in the efficient implementation of augmented systems and making the Internet of Things a reality. It foresees the network supporting millions and millions of devices, from smart kitchen equipment and phones to critical functions such as emergency communications and power plants. The fourth-generation (4G) infrastructure supports fewer devices and delivers fewer critical services. Dependence on 5G would increase the impact on societies if the infrastructure were to fail. However, some critics maintain that the risks from 5G are overhyped. So far, not so many new use cases have emerged. There’s a huge capital expense required for rollout, and approval from relevant authorities such as Information Technology, energy, and transport is needed.

The current 5G network infrastructure is not a revolutionary telecommunication transformation, but an evolution or enhancement of the previous generations of telecommunication equipment. At present, 5G networks are non-stand-alone, implying that they relatively depend on the earlier networks too. Optimistically, future 5G networks are likely to be stand-alone due to revolutionary technologies, although this kind of network is not yet feasible. There is on-going research to make stand-alone 5G networks a reality by several countries. Regardless, both stand-alone and non-stand-alone networks are characterized by their ability to accommodate more devices, minimal transmission delays, and high speeds. Achieving such characteristics requires a shift of focus from hardware to software, as it relies on technologies such as virtualization and edge computing to move processing power closer to the end-user. From studies, I predict that this kind of advancement will enable this fifth generation of a telecommunications network to support even more functions across the globe, from smart autonomous house gadgets, self-driving cars, smart roads, to smart cities.

5G Network Layers

5G comprises of multiple “layers” that perform varying parallel functions across the network. Every layer has access to a given amount of data and can convey data packets efficiently within the network envelope. Additionally, every component within a layer also receives and transport data packets across the network depending on the degree rights they have to access the other parts of the network.

Layer and examples***

Function

Degree of Access to Data**

Impact Radius

Importance*

An end-user device such as IoT devices

How the client carries out various functions using the network

Varies

Limited

Varies

Access Layer

Mostly categorized as edge as it communicates directly with the end-user device to transport packets.

Low

Local

Medium

Transport Layer

Moves information between nodes

Low

Local

low

Switching and Routing

Chiefly categorized as the core.

Determines which information is significant and where packets need to be conveyed.

Moderate

Local or network-wide***

Medium

Management Pane

Coordinates all other functions, often categorized as core

High

Network-wide

High

5G networks are chiefly divided into two groups, that is, the core and the edge. The core consists of critical components or those components with significant control over the network than the edge components. Core components have much data about the network and include activities such as switching and routing functions on base stations. Because the core has functions that overlay and control the entire network, it would be a catastrophe if the network is compromised. The impact on the whole network would be extremely high. Network as the whole ceases to operate without these functions. For such reasons, 5G networks in the UK will have relatively more cores than the previous telecommunication generations, but with the exact number and location depends on the purview of the operators.

Edge functions, however, are located at the periphery of the network. Although the definition of core and edge is not a precise science, this article describes edge components as those found within the access layer of the network, a definition derived from the National Computer Security Center. This part of the network is close to end-users and forms the link between the network and its clients. It contains and conveys data such as the type of information sent to and from the network by customers, the identity of who is accessing the network, and so on. Failure of edge components such as radio access network (RAN), only affects a small local area of the network, which is easily identified, isolated, and rectified. Being at the periphery, the impact of the failure of an edge component has limited impact radius, and limited access to the sensitive data helps run the network.

5G has brought with it the tremendous promise of efficiency and reliability. Although even as we race towards a connected future, we must place an equivalent focus on the security of those specific components of the network infrastructure, such as connections, applications, or software and devices within the network. The building or creating a network on top of a weak cybersecurity foundation is equivalent to building a luxurious mansion on sand that would be swept away with the slightest sea waves and tides. These risks, therefore, surpass just the end-user and can be considered as a global concern.

Hyper-Focus on Huawei

The better part of the public debate on the cybersecurity of 5G networks relates to the implications of the continued provision of 5G infrastructure components by Huawei. Studies demonstrate low political and technical confidence in Huawei. The telecommunication company has been in the past accused of producing equipment of poor quality. According to HCSEC (Cyber Security Evaluation Centre), products and equipment produced by Huawei for the 5G infrastructure have consistently demonstrated a significant number of defects. Poor quality and defects are attributed to poor processes in production. Finite State, a cyber-security firm, also discovered that Huawei software and hardware were more likely to have flaws as compared to other competitor’s equipment. Theses defects pose a security threat to the entire network.

The presence of bug doors or backdoors may significantly affect the network’s infrastructure in case of a malicious intrusion or, even worse, would allow Huawei to access customers’ confidential data. Despite all these serious allegations against Huawei, no one has ever presented concrete evidence on whether the company is intentionally including backdoors for malicious purposes or deliberately leaving backdoors in its equipment.

Also, the public discourse has considered the connection between the Chinese government and Huawei. China has a history of perpetrating hostile cyber-attacks against adversaries, including the UK and the United States. They have been several reports that there is a close relationship tie between Huawei and the Chinese government. Many people point out that they engage in malicious financial and trading practices. The legal environment in place also suggests that the Chinese government could share every access Huawei has to telecommunication networks. According to the Chinese National Intelligence and Cybersecurity Laws of 2017, it is a requirement that firms should comply with the demands from the national intelligence or military, and no information about the corporation should be disclosed. The laws do not provide for balancing measures such as having an independent judicial oversight or right of appeal that is a major feature of the Western Democratic legal regime.

As much as all the evidence, as mentioned above, is open for interpretation and public critic, the pattern is quite clear. Huawei maintains that it is a private company concerned about profit but has the utmost respect for the laws of the country in which it operates. The company also denies the claim that it’s subject to Cybersecurity Laws and National intelligence. However, the behavior and trading practice portrayed by Huawei to-date, leave an ample room for doubt.

How 5G Expands Cyber Risks

Compared to its predecessors, 5G is more vulnerable to cyber-attacks in the following five significant ways.

5G uses a distributed software-based digital routing, unlike its predecessors, which utilize centralized hardware-defined switching. The previous generations of networks were hub-and-spoke designs, in which all issues converged at choke points and cleaned away during cyber hygiene maintenance. However, 5G software-defined network does not provide for chokepoint inspection and control as such activities are pushed outward to a web of digital routers throughout the network.

Change from physical appliances to virtualization further complicates the vulnerability of the 5G network. Software higher-level network functions are based on the well-known operating system and a well common language of the internet, making it a target for the black hats.

Because the network also operates on software, protecting software vulnerabilities within the network is not an efficient means to provide security. Gaining control of the software managing networks implies that the hacker or intruder will also have control over the network.

Additional venues of attack are created due to the expansion of bandwidth that makes 5G possible. Attackers will now aim at the small-cell antennas deployed throughout urban areas. The functionality of the cells is based on 5G’s Dynamic Spectrum Sharing capability, where various streams of information share the bandwidth in slices, and every slice has its varying degree of cyber risk. If the functions of a network are allowed by the software to shift dynamically, then there is a need to provide protection that is dynamic rather than relying on a common denominator solution.

The last threat is caused by several devices that are part of the system. 5G networks can accommodate tens of billions of devices, all of which may act as attack surfaces. Range of connected devices may vary from medical things to transportation things, to public safety things and to battlefield things, all of which have weak points which may be exploited by an individual with malicious intentions.

Fifth-generation telecommunication networks have therefore created a huge, multidimensional cyber-attack vulnerability. Because the nature of networks is redefined to form a new ecosystem of ecosystems, there arises a need for a new cyber-security strategy. Most of these vulnerabilities have been made known to manufactures and other producers, so they do in good faith what is right in an attempt to resolve the issue.

What You Should Know by Now

5G has changed every traditional assumption on network security, applications attached to the network, and security of the relevant devices within the network. Below is a list of some of the challenges experienced by Federal Communications Commission agents tasked with the mandate of resolving the emerging threats?

Cumbersome rulemaking activity due to Industrial –era procedural laws, with less optimal non-rule making activities

High incentive by the bad actors in an attempt to compromise the entire process of maintaining the protection

Fear by major stakeholders, of exposing their internally identified risk factors at the right time when a collective bargain by other stakeholders would be of great significance for the collective defense of the network

Also, the network operators who know the network infrastructure best exists as part of business structures that do not provide a conducive atmosphere for risk reduction. However, these challenges doe not mean we suspend the race to harnessing the benefits of a challenge this fifth-generation network. Instead, it presents us with a challenge to solve the need for our status quo approach to 5G.

Two Elementals to Winning the Race to 5g Networks

The real race to 5G network is whether the new infrastructure will be sufficiently secure in realizing its technological promises. As much as speedy and efficient connections may be a priority, security comes first. To ensure secure systems, there is a need to reevaluate the relationship between businesses and the government as well. The below suggestions may be too much of a departure from traditional practices, but so be it, as desperate times call for desperate measures. If 5G network security is treated normally, then the associated cyber-risks and threats will treat us abnormally. The new 5G reality justifies the below governmental and corporate actions.

1. The organization must be held responsible for the new cyber duty of care.

This first key is a reward-based policy that will encourage companies to adhere to a cyber-duty of care as opposed to the traditional penalty-driven measures. Traditionally, the duty of care was bestowed on those providing products and services, to identify and prevent any cyber-harm that could result. With the new infrastructure, there is a need for a new corporate culture. The new culture must be a place where cyber-risks are treated as an essential corporate duty and rewarded with appropriate incentives. These incentives might be tax reduction, regulatory, or any other means that can motivate societies to adhere to set standards of cyber hygiene proactively. Such a cyber-duty of care may include the following;

Shift from reactive measures to proactive measures that will ensure active cyber-preparedness

Cybersecurity starts with the 5G networks

Best practices – identify, protect, detect, respond, and recover

Incorporate security into the development and operations

2. An establishment of a new cyber regulatory paradigm by the government to establish new realities

The current procedural rules for government agencies were developed in an industrial environment where change and innovation developed relatively slow. With the advancement in technology, there is a need for a fast pace approach to the rapidly evolving network infrastructure as well as a new approach to business-government relationship. Some of the methods to use may include;

Identification and recognition of marketplace shortcomings

More effective regulatory cyber relationships with those regulated

Consumer transparency

Enhancement of inspection and certification of connected devices

We need more than contracts.

Re-engage with international bodies

Also, there is a need for an informed third-party oversight early in the 5G industry’s design and deployment cycle to categorize cybersecurity in-terms of prioritizing what critical and those to be given minimal attention.

Conclusion

As we increasingly connect life-sustaining devices to the internet, more people are going to be at risk, and others will probably die due to such impacts. This cold reality is because the internet’s connection to people and significant elements that they heavily rely on will be through vulnerable 5G networks. It is a situation that’s facilitated by a cyber cold war that is simmering below consumer awareness.

Joseph Ochieng’was born and raised in Kisumu, Kenya. He studied civil engineering as first degree and later on pursued bachelors in information technology from the technical university of Kenya. His educational background has given him the broad base from which to approach topics such as cybersecurity, civil and structural engineering. When he is not reading or writing about the various loopholes in cyber defense, the he is probably doing structural design or watching la Casa de Papel . You can connect with Joseph via twitter @engodundo or email him via josephodundoh@gmail.com for email about new article releases”